This is a Linux machine with ssh and web services. According to the different responses are generated based on different credentials, we can fuzz the credentials for login.php. After login into the system, there is version disclose of the platform. We leverage it to get foothold.

First of all, we are a low-privilege (www-data) user. Fortunately, there is a dedicated SUID program reserved for us to read password of the user (think).

After that, we can discovery that there is a sudo rule for us to read arbitrary files. We can steal the root's ssh private key!!